Secure communications technology, such as the GlobalPlatform secure channel protocols, IPsec and SSL/TLS, is available to allow two communicating systems equipped with cryptographic modules to exchange information with confidentiality and integrity. These methods generally rely on a first step in which a shared secret key is established and a second key derivation step in which session keys are derived from the shared secret.
In the case of secure contact or contactless transactions between a personal device equipped with a secure Integrated Circuit Chip (ICC), such as a smart card or a mobile phone, and an access point, such as a contactless or Near Field Communication (NFC) door reader, sensitive identification information or secrets may be exchanged. However, increased security in protecting access to and exchange of the confidential information often results in reduced performance and increased user wait times. Traditionally, for contactless solutions requiring rapid transactions, performance has been favored over security, and such systems offer no protection or only weak protection for the credential data that is communicated. A suitable compromise between performance and security is required.
In an open domain or multi-domain environment, the communicating systems may be mutually authenticated and may be equipped with entirely independent PKI key pairs that are either generated at the time of the transaction or generated or imported in advance. The public keys may be certified by independent but mutually trusted authorities so that the communicating system holding the corresponding private key can be authenticated. Using zero, one or more key pairs on each side, a shared secret establishment process first derives a shared secret from a public key infrastructure (PKI) key agreement method such as Diffie-Hellman (DH) and/or Elliptic Curve Diffie-Hellman (ECDH). A key transport method, such as RSA key transport, may also be used. PKI key agreement techniques are varied and extensively described, for example, in IPsec/IKE (Internet Key Exchange), the National Institute of Standards and Technology (NIST) Special Publication 800-56A entitled “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” by Elaine Barker et al. (revised, March 2007), which is incorporated herein by reference, and/or NIST Special Publication 800-56B “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography” by Elaine Barker et al. (August 2009), which is incorporated herein by reference. The session keys used to protect the transported data are generally derived from the resulting shared secret in a second step, which includes a key derivation step and a mutual authentication (key confirmation) step. An example of a session key derivation function is provided in NIST SP 800-56A and/or NIST SP 800-108, “Recommendation for Key Derivation Using Pseudorandom Functions,” which is incorporated herein by reference.
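The two-step structure described above (ECDH shared secret establishment, then session key derivation with an SP 800-108 counter-mode KDF) is illustrated by the following added example. It is not code from the patent or from any referenced standard's reference implementation. The patent names no particular curve or KDF parameters, so the example assumes the public secp256k1 domain parameters, HMAC-SHA256 as the PRF, and a constructed label/context layout (identities and nonces of the card and reader); the scalar multiplication is plain double-and-add and is not constant-time, so it is for illustration of the protocol steps, not for deployment on an ICC.

```python
"""ECDH shared secret + SP 800-108 counter-mode KDF (added example, not patent text)."""
import hashlib
import hmac
import secrets

# Assumption: secp256k1 domain parameters (the patent names no curve).
P = 2**256 - 2**32 - 977
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def is_on_curve(pt):
    """Affine point check: coordinates in range and y^2 == x^3 + A*x + B (mod P)."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on the curve (handles doubling and inverse points)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add (not constant-time; demonstration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    d = secrets.randbelow(N - 1) + 1          # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def ecdh_shared_secret(own_private, peer_public):
    """Step 1: full public-key validation (SP 800-56A style), then Z = x-coordinate of d*Q."""
    if not is_on_curve(peer_public):
        raise ValueError("peer public key is not a point on the curve")
    if scalar_mult(N, peer_public) is not INF:
        raise ValueError("peer public key does not have order N")
    shared = scalar_mult(own_private, peer_public)
    if shared is INF:
        raise ValueError("shared point is at infinity")
    return shared[0].to_bytes(32, "big")


def kdf_counter_hmac_sha256(key_in, label, context, length):
    """Step 2: SP 800-108 KDF in counter mode, PRF = HMAC-SHA256.
    K(i) = PRF(K_IN, [i]_2 || Label || 0x00 || Context || [L]_2), L in bits."""
    fixed = label + b"\x00" + context + (length * 8).to_bytes(4, "big")
    blocks = -(-length // 32)
    out = b"".join(hmac.new(key_in, i.to_bytes(4, "big") + fixed, hashlib.sha256).digest()
                   for i in range(1, blocks + 1))
    return out[:length]


def derive_session_keys(z, id_card, id_reader, nonce_card, nonce_reader):
    """Assumed context layout: both identities and both nonces bind the keys to this transaction."""
    material = kdf_counter_hmac_sha256(z, b"session-keys", id_card + id_reader + nonce_card + nonce_reader, 48)
    return material[:16], material[16:]  # (16-byte encryption key, 32-byte MAC key)


def run_exchange():
    """Both sides of the exchange; returns (card_keys, reader_keys), which must match."""
    d_card, q_card = generate_keypair()
    d_reader, q_reader = generate_keypair()
    id_card, id_reader = b"card-0001", b"reader-07"   # constructed identities
    n_card, n_reader = secrets.token_bytes(16), secrets.token_bytes(16)
    card_keys = derive_session_keys(ecdh_shared_secret(d_card, q_reader), id_card, id_reader, n_card, n_reader)
    reader_keys = derive_session_keys(ecdh_shared_secret(d_reader, q_card), id_card, id_reader, n_card, n_reader)
    return card_keys, reader_keys
```

The public-key validation in `ecdh_shared_secret` is the check a practitioner should not skip: an invalid or small-order peer point turns a key agreement into a leak of the private scalar, and the ICC performance concerns raised in the text make such checks tempting to drop.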
A concern with such key establishment techniques is that the time required to execute the cryptography of the first key establishment step inside the ICC of a personal security device with low computing power may be prohibitive. This prevents deployment of such technology at the desired key length or security level. Another concern is that the key establishment step involves sending multiple request and response pairs to the ICC. These multiple requests add overhead and latency to the transaction, particularly with remote systems. Also, with multiple requests, the ICC requires additional functionality and resources to maintain the intermediate state between requests. In addition, in many instances it may be desirable to efficiently authenticate a user or device without identifying the user or device to an entity that is not part of the transaction.
Accordingly, it would be desirable to provide a system that facilitates the widespread and efficient use of PKI key agreement techniques, and/or other similar key establishment techniques, in a way that still provides appropriate security, limits the number of requests and responses, and includes the ability to authenticate without identifying a transaction participant to non-participants.